From 6e9219f77522de902658a7818894358080a93435 Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Tue, 20 Dec 2016 09:48:14 +0100 Subject: [PATCH] capabilities.7: Further enhance the recommendation against new uses of CAP_SYS_ADMIN Signed-off-by: Michael Kerrisk --- man7/capabilities.7 | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/man7/capabilities.7 b/man7/capabilities.7 index 1462aa813..004a7f220 100644 --- a/man7/capabilities.7 +++ b/man7/capabilities.7 @@ -783,8 +783,12 @@ choose .B CAP_SYS_ADMIN if you can possibly avoid it! A vast proportion of existing capability checks are associated -with this capability, -to the point where it can plausibly be called "the new root". +with this capability (see the partial list above). +It can plausibly be called "the new root", +since on the one hand, it confers a wide range of powers, +and on the other hand, +its broad scope means that this is the capability +that is required by many privileged programs. Don't make the problem worse. The only new features that should be associated with .B CAP_SYS_ADMIN
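Review bot: The added "since on the one hand, it confers a wide range of powers, and on the other hand, its broad scope means that ..." wording reads as a contrast, but both clauses are reasons for the same "new root" conclusion, and the second one stops short of the consequence that matters to the reader. A program that needs CAP_SYS_ADMIN for a single operation ends up holding every other power the capability confers. Consider dropping the "on the one hand / on the other hand" framing, for example "since it confers a wide range of powers and, because of its broad scope, is the capability required by many privileged programs", and stating that consequence explicitly before "Don't make the problem worse." Separately, "(see the partial list above)" depends on relative position in the page. Pointing at the CAP_SYS_ADMIN entry in the capabilities list by name would keep the reference valid if the text is later reordered.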